Neutrino Exploit Kit sends GootKit and more

UPDATED:
I uploaded the Flash Exploit to Malwr.com

ASSOCIATED DOMAINS:

  • 85.93.0.33 – vat.svatos.co.uk – EITEST GATE
  • 108.61.221.86 – qxmmltgax.yoqanteater.top – Neutrino LANDING PAGE
  • 204.155.30.124:80 – GootKit Command and Control
  • 204.155.30.124:443 – GootKit POST INFECTION TRAFFIC

 

IMAGES and DETAILS:

Shown above: EITEST gate and Neutrino landing page

 

Shown above: Packets 2804 and 2892 show the EITEST gate, packet 3609 shows the Neutrino Flash exploit, and packet 3842 shows the malicious payload delivered as “application/octet-stream”

 

Shown above: Partial contents of packet 3842

 

Shown above: Post infection traffic to GootKit Command and Control

 

Shown above: GootKit post infection traffic using the self-signed certificate “My Company”

 

Shown above: Latest Emerging Threats Rule Set detecting GootKit using Snort command (snort -r c:\snort\log\filename.pcap -l c:\snort\log -c c:\snort\etc\snort.conf)
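The Snort rule set above works on the pcap itself; the indicators in this post can also be matched against connection logs. The script below is an added example, not part of this write-up, and assumes a constructed tab-separated log format (kind, destination IP, destination port, key=value attributes) rather than any real tool's output; the sample lines are constructed to mirror the capture described above.

```python
# Indicators as listed in the write-up above.
IOC_HOSTS = {
    "vat.svatos.co.uk": "EITEST gate",
    "qxmmltgax.yoqanteater.top": "Neutrino landing page",
}
IOC_IPS = {
    "85.93.0.33": "EITEST gate",
    "108.61.221.86": "Neutrino landing page",
    "204.155.30.124": "GootKit C2",
}
GOOTKIT_CERT_SUBJECT = "My Company"        # self-signed certificate name seen in the capture
PAYLOAD_TYPE = "application/octet-stream"  # content type of the delivered payload (packet 3842)


def parse_line(line):
    """Parse one constructed log line: kind<TAB>dst_ip<TAB>dst_port<TAB>k=v;k=v."""
    kind, dst_ip, dst_port, extra = line.rstrip("\n").split("\t")
    attrs = dict(kv.split("=", 1) for kv in extra.split(";") if kv)
    return {"kind": kind, "dst_ip": dst_ip, "dst_port": int(dst_port), **attrs}


def classify(rec):
    """Return the infection stage a record indicates, or None if nothing matches."""
    host = rec.get("host", "")
    # An octet-stream download from the landing page is the exploit payload delivery.
    if rec["kind"] == "http" and host in IOC_HOSTS and rec.get("ctype") == PAYLOAD_TYPE:
        return "Neutrino payload delivery"
    # TLS to the C2 address on 443 presenting the 'My Company' cert is the GootKit check-in.
    if (rec["kind"] == "ssl" and rec["dst_ip"] == "204.155.30.124"
            and rec["dst_port"] == 443 and rec.get("subject") == GOOTKIT_CERT_SUBJECT):
        return "GootKit post-infection TLS"
    if host in IOC_HOSTS:
        return IOC_HOSTS[host]
    return IOC_IPS.get(rec["dst_ip"])


def scan(lines):
    """Return (line_number, stage) for every line that matches an indicator."""
    return [(n, stage) for n, line in enumerate(lines, 1)
            if (stage := classify(parse_line(line)))]


# Constructed sample lines modelled on the capture above (not real log data).
SAMPLE = [
    "http\t85.93.0.33\t80\thost=vat.svatos.co.uk;ctype=text/html",
    "http\t108.61.221.86\t80\thost=qxmmltgax.yoqanteater.top;ctype=text/html",
    "http\t108.61.221.86\t80\thost=qxmmltgax.yoqanteater.top;ctype=application/octet-stream",
    "http\t203.0.113.5\t80\thost=example.com;ctype=text/html",
    "ssl\t204.155.30.124\t443\tsubject=My Company",
    "ssl\t203.0.113.5\t443\tsubject=example.com",
]

if __name__ == "__main__":
    for n, stage in scan(SAMPLE):
        print(f"line {n}: {stage}")
```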

 

Shown above: Windows Registry entry associated with file-less GootKit

 

NEUTRINO POST INFECTION ARTIFACTS:

REFERENCES:
www.cyphort.com
Proofpoint Emerging Threats